From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Wed, 07 May 2014 14:20:00 -0000
Subject: Re: Microsoft Accounts (was Re: Problem with "None" Group on Non-Domain Members)
Message-ID: <20140507142012.GJ30918@calimero.vinschen.de>
In-Reply-To: <109019802.20140507175308@yandex.ru>
On May 7 17:53, Andrey Repin wrote:
> Greetings, Corinna Vinschen!
>
> > I toyed around with the Microsoft Account a bit more. And here's why
> > the primary group SID being identical to the user SID is not a good
> > idea:
>
> > Security checks.
>
> > For instance:
>
> > $ echo $USER
> > VMBERT8164+local_000
> > $ screen
> > Directory /tmp/uscreens/S-VMBERT8164+local_000 must have mode 700.
>
> > Huh?
>
> > $ ls -l /tmp/uscreens/
> > total 0
> > drwxrwx---+ 1 VMBERT8164+local_000 VMBERT8164+local_000 0 May 7 12:44 S-VMBERT8164+local_000
>
> > Uh Oh.
>
> I concur.
> But mostly because of blind check "if it's not 700, it's wrong".
> No, it's not wrong, you dumb piece of code, it's your check isn't right.

No, the check is right from a POSIX POV. How is a POSIX application
supposed to know that the group with gid 12345 is in fact the user with
the uid 12345? That's not possible in a POSIX environment.

> > This will be a problem with other security sensitive applications, too.
> > Sshd comes to mind.
>
> > So I guess we really should make sure the primary group SID is some
> > valid group, not the user's SID.
>
> > "None" is not an option since it's not in the user token group list.
>
> > "Users" seems to be the best choice at first sight.
>
> For local SAM account.

...or "Domain Users" for AD accounts, probably.

> > Alternatively we could use the S-1-11-xxx SID of the Microsoft Account.
> > That would be in line with the idea to have a user-specific primary
> > group.
>
> For M$ accounts, perhaps.

Eh? This thread *is* about Microsoft Accounts. We don't have this
problem for normal accounts.

> When you said I can set up a primary group for my account in SAM database,
> what did you mean? The magic or something more system-specific?

The magic, yes.
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
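The strict "must have mode 700" check discussed above, as an added Python example (not code from screen, Cygwin or anyone in this thread): it applies the same POSIX-only test to a constructed directory and shows that the check sees nothing but an owner uid, a numeric gid and mode bits, so a group-accessible directory fails no matter which account the group happens to map to. The function names and the directory name are assumptions; the remedy it exercises is the chmod to 0700 that the error message asks for.

```python
import os
import stat
import tempfile


def private_dir_problem(path, uid=None):
    """Return None if `path` passes a screen-style private-directory check,
    otherwise a string describing why it fails.  The check is the strict
    POSIX one from the thread: the directory must be owned by the caller
    and its permission bits must be exactly 0700 (assumed semantics)."""
    if uid is None:
        uid = os.getuid()
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != uid:
        return f"owned by uid {st.st_uid}, not {uid}"
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        # Only the numeric gid is visible here.  A POSIX program has no way
        # to learn that this group might be an alias of the owner, which is
        # exactly why a user-SID primary group trips the check.
        return f"mode {mode:04o} (gid {st.st_gid}), must be 0700"
    return None


def demo():
    """Constructed scenario: a group-accessible directory fails the check,
    and the same directory passes once it is chmod'ed to 0700."""
    with tempfile.TemporaryDirectory() as base:
        d = os.path.join(base, "S-example_user")   # constructed name
        os.mkdir(d)
        os.chmod(d, 0o770)   # like the drwxrwx--- directory in the thread
        before = private_dir_problem(d)
        os.chmod(d, 0o700)   # the fix the error message asks for
        after = private_dir_problem(d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 700:", before)
    print("after  chmod 700:", after)
```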